—[ Attacked Hardware ]
CPE Router, which provides Internet Access over ADSL.
—[ Severity level ]
Severity level : Critical
Impact : DNS Injection MITM
Access Vector : Network exploitable
—[ Hardware Description ]
CPE Routers which are used to provide Internet access and are directly connected with the ISPs. These routers are specifically used by millions of home users and organizations world-wide, to connect with the ISP. These devices also act as a NAT Device, providing a rudimentary DMZ, a DHCP server being embedded into the OS of these routers, is shipped out by all the CPE manufacturers.
—[ Attack Description ]
We have observed an attack vector, targeting CPE Routers used for facilitating ADSL connectivity.
The Victim, when browsing or accessing internet is directed to a server, which does not belong to the requested Domain.
The Victim has enabled DHCP on the client machine, the DNS server IP address and the Machine IP address is provided by the embedded DHCP server residing on the affected hardware.
Normally, DNS server IP address is configured at the time of installation and once the initial configuration is complete, no one bothers to make any changes to this configuration, including the configuration access password.
The attacker gained access to the router, changed the DNS server to 126.96.36.199 and also changed the password of the router. Effectively taking over the control of the DNS queries by a rogue DNS server and a Rogue IP which accepts connections.
188.8.131.52 has “A records” for in.yahoo.com, indiatimes.com and rediff.com pointing to 184.108.40.206.
In the past, we have observed DNS Cache Poisoning attacks, modification of “hosts” file but, modifying the DNS server IP of a router and also deploying a Rogue DNS server is first of its kind for me. This type of attack, opens up the flood-gates for a lot of different attack vectors.
The web-server IP address in question has links to below mentioned advertising links
Link 1:hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=BQpZjMbYOT_X7KoeGiAfcmLQSweK0kQOps6idQ8CNtwHwkwkQARgBIO3RuBo4AFCDsfy1-_____8BYOXS5oO8DqABh_vn2gOyAQ0yMTIuMTEzLjM2LjgzugEKMzAweDI1MF9hc8gBAtoBFW h0dHA6Ly8yMTIuMTEzLjM2LjgzL4ACAagDAcgDFegDNegDBegDDfUDAAAAwPUDAABAEIgGAaAGAg&num=1&cid=5GgGexj0cW8pXlxeTn4aLTAP&sig=AOD64_2XdwXuNKwt_zLnH8ll-xvW1vQTlg&client=ca-pub-3451543299263350&adurl=http://www.softlayer.com/lp/singapore-hosting&nm=2
The targeted domains are
As of this moment, this seems to be an India Centric Operation, with very few domains but may increase over a period of time. But the scope of the method used by this attack vector is global.
—[ Available Information ]
Google Adsense ID : ca-pub-3451543299263350
IP Address 1 : 220.127.116.11 DNS Server
Cloud based Service provided by linode.com is being used to deploy the DNS server. This is a paid Service
IP Address 2 : 18.104.22.168 Web Server
This server is located in JSC Ukrtelecom Data Center (Ukraine) as per the robtex records.
—[ Mitigating the Attack ]
In my previous blog-posts I had mentioned about CPE Routers being the least protected IP Device, with the least amount of security features, yet an attack vector of this type changes the security perception of the entire community. One fact which is never taken into consideration is that Firewalls, IPS, IDS are all residing behind the router.
So, how do we protect a router?
Recently, there was a telnet bug which had surfaced, hence how secure are these embedded devices, is a question everyone should ask. I am yet to ascertain, whether this bug existed in the CPE.
Secondly, if these embedded devices are affected by the bug then changing the password, as a method to mitigate the attack, doesn’t make any sense.
To mitigate this type of attack
1: Manually assign the DNS server IP address. In my case, I used 22.214.171.124
2: DeSOPA the firefox extension. Initially this Firefox extension was used to circumvent SOPA related DNS Blocks, but we have used it for circumventing the DNS MITM attack.
3: Change the router access password and ensure that telnet port is available from the internet network.
—[ The Future ]
As of this moment, it is an Advertising Revenue Generation Site but future possible scenarios are as follows:
1: Phishing Site (Cloned Web-Site) – This would be very difficult to detect as the browser’s url will be a valid but the IP would be incorrect.
2: Drive-By Download with Cloned Site
3: Transparent Proxy with http interception capabilities.
4: Tunnels? I haven’t yet come across any low-end router with tunneling capabilities but mid-range to high-end routers with telnet bug / weak passwords, do have this capability. Would anyone ever attempt redirecting the traffic?
A Network Diagram will be uploaded.
—[ The Proof ]
Screen-shot from affected system:
http://www.ipillion.com/ip/126.96.36.199 this IP has been tagged with loads of complaints.
This is the final post on DNS MITM topic. http://blog.escanav.com/?p=946